Overview
While certain sectors of the EU economy, such as the energy and transport sectors, are already regulated by sector-specific Union legal acts, those legal acts contain provisions which relate only to certain aspects of resilience of entities operating in those sectors.
In order to address in a comprehensive manner the resilience of those entities that are critical for the proper functioning of the internal market, this Directive creates an overarching framework that addresses the resilience of critical entities in respect of all hazards, whether natural or man-made, accidental or intentional.
The growing interdependencies between infrastructure and sectors are the result of an increasingly cross-border and interdependent network of service provision using key infrastructure across the EU in the energy, transport, banking, drinking water, waste water, production, processing and distribution of food, health, space, financial market infrastructure and digital infrastructure sectors and in certain aspects of the public administration sector.
According to Article 1 (Subject matter and scope), the Critical Entities Resilience Directive (CER):
(a) lays down obligations on Member States to take specific measures aimed at ensuring that services which are essential for the maintenance of vital societal functions or economic activities are provided in an unobstructed manner in the internal market, in particular obligations to identify critical entities and to support critical entities in meeting the obligations imposed on them;
(b) lays down obligations for critical entities aimed at enhancing their resilience and ability to provide services in the internal market;
(c) establishes rules:
(i) on the supervision of critical entities;
(ii) on enforcement;
(iii) for the identification of critical entities of particular European significance and
on advisory missions to assess the measures that such entities have put in place
to meet their obligations under Chapter III;
(d) establishes common procedures for cooperation and reporting on the application of this Directive;
(e) lays down measures with a view to achieving a high level of resilience of critical entities in order to ensure the provision of essential services within the Union and to improve the functioning of the internal market.
Who must comply with the Critical Entities Resilience Directive (CER)?
According to Article 2 (Definitions) of the Critical Entities Resilience Directive (CER), ‘critical entity’ means a public or private entity which has been identified by a Member State as belonging to one of the categories:
1. Energy.
a. Electricity.
— Electricity undertakings.
— Distribution system operators.
— Transmission system operators.
— Producers.
— Nominated electricity market operators.
— Market participants.
b. District heating and cooling.
— Operators of district heating or district cooling.
c. Oil.
— Operators of oil transmission pipelines.
— Operators of oil production, refining and treatment facilities, storage and transmission.
— Central stockholding entities.
d. Gas.
— Supply undertakings.
— Distribution system operators.
— Transmission system operators.
— Storage system operators.
— LNG system operators.
— Natural gas undertakings.
— Operators of natural gas refining and treatment facilities.
e. Hydrogen.
— Operators of hydrogen production, storage and transmission.
2. Transport.
a. Air.
— Air carriers used for commercial purposes.
— Airport managing bodies, airports, including the core airports and entities operating ancillary installations contained within airports.
— Traffic management control operators providing air traffic control (ATC) services.
b. Rail.
— Infrastructure managers.
— Railway undertakings, including operators of service facilities.
c. Water.
— Inland, sea and coastal passenger and freight water transport companies.
— Managing bodies of ports, including their port facilities, and entities operating works and equipment contained within ports.
— Operators of vessel traffic services (VTS).
d. Road.
— Road authorities responsible for traffic management control, excluding public entities for which traffic management or the operation of intelligent transport systems is a non-essential part of their general activity.
— Operators of Intelligent Transport Systems.
3. Banking.
— Credit institutions.
4. Financial market infrastructures.
— Operators of trading venues.
— Central counterparties (CCPs).
5. Health.
— Healthcare providers.
— EU reference laboratories.
— Entities carrying out research and development activities of medicinal products.
— Entities manufacturing basic pharmaceutical products and pharmaceutical preparations.
— Entities manufacturing medical devices considered to be critical during a public health emergency (public health emergency critical devices list).
6. Drinking water.
— Suppliers and distributors of water intended for human consumption, excluding distributors for which distribution of water for human consumption is a non-essential part of their general activity of distributing other commodities and goods.
7. Waste water.
— Undertakings collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water, excluding undertakings for which collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water is a non-essential part of their general activity.
8. Digital infrastructure.
— Internet Exchange Point providers.
— DNS service providers, excluding operators of root name servers.
— TLD name registries.
— Cloud computing service providers.
— Data centre service providers.
— Content delivery network providers.
— Trust service providers.
— Providers of public electronic communications networks.
— Providers of publicly available electronic communications services.
9. ICT service management (business-to-business).
— Managed service providers.
— Managed security service providers.
10. Public administration.
— Public administration entities of central governments as defined by a Member State in accordance with national law.
— Public administration entities at regional level as defined by a Member State in accordance with national law.
11. Space.
Operators of ground-based infrastructure, owned, managed and operated by Member States or by private parties, that support the provision of space-based services, excluding providers of public electronic communications networks.
Important note: This is an overview, not a detailed list of activities. Depending on their products or services, and where their products or services belong in NACE (the statistical classification of economic activities in the European Union), entities must carefully consider if they must comply with the Directive or not.
Our Briefings for the Board:
We offer custom briefings for the Board of Directors and executive management, tailored to the specific needs of each legal entity. Our briefings can be short and comprehensive (60 minutes), or longer, depending on the needs, the content of the program and the case studies.
Alternatively, you may choose one of our existing briefings:
1. The Critical Entities Resilience Directive (CER) for the Board of Directors and executive management of EU legal entities.
2. Understanding the extraterritorial application of EU law and the equivalence decisions of the European Commission.
You can find all information below.
Delivery format of the training program
a. In-House Instructor-Led Training program - designed and tailored for persons working for a specific company or organization (Board members, executive management, risk managers and employees etc.). In all In-House Instructor-Led Training programs an instructor from Cyber Risk GmbH that is approved by the Client travels to the location chosen by the Client and leads the class according to the needs of the Client and the Contract.
b. Online Live Training program - synchronous (real time, not pre-recorded) training program that takes place in a live virtual meeting room using platforms like Zoom, Webex, Microsoft Teams etc. In all Online Live Training programs, instructors from Cyber Risk GmbH that are approved by the Client tailor the method of delivery (interactive, non-interactive, etc.) to the needs of the Client, lead the virtual class, and answer questions according to the needs of the Client and the Contract.
c. Video-Recorded Training program - professional, pre-recorded training program. Instructors from Cyber Risk GmbH that are approved by the Client tailor the training content according to the needs of the Client and the Contract, and they record the training content in a professional studio. The training material (including any subsequent updates) is licensed by Cyber Risk GmbH to the Client for training purposes. Clients can incorporate the recorded videos to their internal learning system. Video-Recorded Training programs include Orientation Video Training and Compliance Video Training programs.
1. The Critical Entities Resilience Directive (CER) for the Board of Directors and executive management of EU legal entities.
Course Synopsis
- Are you sure we must comply with the Critical Entities Resilience Directive (CER)? Where can we find this information?
- Subject matter and scope.
- Understanding the important definitions.
- What is ‘critical infrastructure’ and ‘essential service’?
The obligation for each EU Member State to adopt a strategy for enhancing the resilience of critical entities.
- The strategic objectives and policy measures.
- Risk assessment by Member States.
Criteria for the identification of critical entities.
- the entity provides one or more essential services,
- the entity operates, and its critical infrastructure is located, on the territory of a Member State,
- an incident would have significant disruptive effects on the provision by the entity of one or more essential services.
Criteria for the identification of significant disruptive effects.
- the number of users relying on the essential service provided by the entity concerned,
- the extent to which other sectors and subsectors depend on the essential service in question,
- the impact that incidents could have, in terms of degree and duration, on economic and societal activities, the environment, public safety and security, or the health of the population,
- the entity’s market share in the market for the essential service or essential services concerned,
- the geographic area that could be affected by an incident, including any cross-border impact, taking into account the vulnerability associated with the degree of isolation of certain types of geographic areas, such as insular regions, remote regions or
mountainous areas,
- the importance of the entity in maintaining a sufficient level of the essential service, taking into account the availability of alternative means for the provision of that essential service.
Competent authorities and single point of contact.
Cooperation between Member States.
Risk assessment by critical entities, within nine months of receiving the notification.
- Risk assessment by critical entities whenever necessary subsequently, and at least every four years, to assess all relevant risks that could disrupt the provision of their essential services (‘critical entity risk assessment’).
- Risk assessment for all the natural and man-made risks which could lead to an incident, including those of a cross-sectoral or cross-border nature, accidents, natural disasters, public health emergencies, hybrid threats and other antagonistic threats, including terrorist offences.
- Resilience measures of critical entities.
Background checks on persons who:
- hold sensitive roles in or for the benefit of the critical entity, in particular in relation to the resilience of the critical entity,
- are authorised to directly or remotely access its premises, information or control systems, including in connection with the security of the critical entity,
- are under consideration for recruitment to sensitive positions.
Incident notification.
- initial notification no later than 24 hours after becoming aware of an incident,
- detailed report no later than one month thereafter.
The new Critical Entities Resilience Group.
- it supports the Commission and facilitates cooperation among Member States,
- it supports the exchange of information on issues relating to this Directive,
- it is analysing the strategies in order to identify best practices,
- it is composed of representatives of the Member States and the Commission who hold security clearance, where necessary.
Supervision and enforcement.
- on-site inspections of the critical infrastructure and the premises that the critical entity uses to provide its essential services,
- off-site supervision of measures taken by critical entities,
- audits in respect of critical entities.
- penalties.
- Other new EU directives and regulations that introduce compliance challenges.
- Closing remarks.
Target Audience
The program is beneficial to the Board of Directors and the CEO of entities in the scope of the CER Directive.
Duration
One hour to half day, depending on the needs, the content of the program and the case studies.
Delivery format of the training program
a. In-House Instructor-Led Training,
b. Online Live Training, or
c. Video-Recorded Training.
Instructor
Our instructors are working professionals that have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.
George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf
Terms and conditions.
You may visit: https://www.cyber-risk-gmbh.com/Terms.html
2. Understanding the extraterritorial application of EU law and the equivalence decisions of the European Commission.
Course Synopsis
The terms ‘extraterritoriality’ and ‘extraterritorial jurisdiction’ refer to the competence of a country to extend its legal powers beyond its territorial boundaries, and to make, apply and enforce rules of conduct in respect of persons, property or events beyond its territory.
The Sarbanes-Oxley Act of 2002, for example, applies to foreign auditors and foreign companies whose securities are listed in a US stock exchange.
Extraterritorial application of EU law is the application of EU provisions outside the territory of the EU, resulting from EU unilateral legislative and regulatory action.
For example, according to EU’s General Data Protection Regulation (GDPR), non-EU data controllers and processors in any country, must comply with the GDPR obligations, if they offer goods or services to individuals in the EU.
Anu Bradford, Professor of Law in Columbia Law School, is the author of the book “The Brussels Effect: How the European Union Rules the World” (2020), that was named one of the best books of 2020 by Foreign Affairs.
In 2012, she introduced the concept of the ‘Brussels Effect’, that describes Europe’s unilateral power to regulate global markets.
Anu Bradford explains why most global corporations choose to adopt the European laws, regulations and standards in the design and operation of their products and services.
The EU standards are generally stricter, and in most cases, when you comply with EU rules, you comply with laws and regulations around the world.
Even when this approach is more costly, global corporations prefer to have an enterprise-wide, single mode of production and operations, and to market their goods and services globally.
Following the doctrine "you comply with EU rules, you comply around the world", global corporations and service providers need professionals that understand the EU laws, regulations, standards and guidelines.
When the European Commission determines that the regulatory or supervisory regime of a non-EU country is equivalent to the corresponding EU framework:
- allows authorities in the EU to rely on supervised entities' compliance with equivalent rules in a non-EU country,
- reduces or eliminates overlaps in compliance requirements for both EU and non-EU entities,
- makes services and products of non-EU companies accepted in the EU,
- allows third-country firms to provide services without establishment in the EU single-market.
We will discuss what happens when the European Commission determines that the regulatory or supervisory regime of a non-EU country is not equivalent to the corresponding EU framework, or when the European Commission has not yet determined if the regulatory or supervisory regime of a non-EU country is equivalent.
We can understand better equivalence decisions from the experience we have with the Accounting Directive, the Audit Directive, the Capital Requirements Regulation (CRR), the Credit Rating Agencies Regulation, the European Market Infrastructure Regulation (EMIR), the Market Abuse Regulation (MAR), the Markets in Financial Instruments Directive (MiFID II), the Markets in Financial Instruments Regulation (MiFIR), the Prospectus Directive, the Solvency II Directive and the Transparency Directive.
After this presentation, the Board and executive management will have a clear understanding or what is mandatory and what is "nice to have", and the consequences of non-compliance.
Target Audience
The program is beneficial to the Board of Directors and the CEO of entities in the scope of the CER Directive.
Duration
One hour to half day, depending on the needs, the content of the program and the case studies.
Delivery format of the training program
a. In-House Instructor-Led Training,
b. Online Live Training, or
c. Video-Recorded Training.
Instructor
Our instructors are working professionals that have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.
George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf
Terms and conditions.
You may visit: https://www.cyber-risk-gmbh.com/Terms.html